def testOwnerInMetadata(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4()).upper()
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
filevault_perms=[permissions.ESCROW],
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
qs = {
'hdd_serial': 'stub',
'owner': 'stub9',
'platform_uuid': 'stub',
'serial': 'stub',
'json': 1,
}
resp = gae_main.app.get_response(
'/filevault/%s?%s' % (vol_uuid, urllib.urlencode(qs)),
{'REQUEST_METHOD': 'PUT'},
POST=secret)
self.assertIn('successfully escrowed', resp.body)
entity = models.FileVaultVolume.all().filter('owner =', 'stub9').get()
self.assertIsNotNone(entity)
def testByPermSilentWithAudit(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**',
user=users.get_current_user(),
email='*****@*****.**',
provisioning_perms=[
permissions.RETRIEVE,
permissions.SILENT_RETRIEVE_WITH_AUDIT_EMAIL,
],
).put()
models.ProvisioningVolume(
owners=['stub6'],
hdd_serial='stub',
passphrase=secret,
platform_uuid='stub',
serial='stub',
volume_uuid=vol_uuid,
).put()
with mock.patch.object(util, 'SendEmail') as mock_send_email:
self.testapp.get('/provisioning/%s?json=1' % vol_uuid)
self.assertEqual(1, mock_send_email.call_count)
recipients, _, _ = mock_send_email.call_args[0]
self.assertEqual(['*****@*****.**', '*****@*****.**'],
recipients)
def testOwnerNotInMetadata(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4()).upper()
base.User(
key_name='*****@*****.**',
user=users.get_current_user(),
filevault_perms=[permissions.ESCROW],
).put()
qs = {
'hdd_serial': '3uDR0LYQmN',
'platform_uuid': 'stub',
'serial': 'stub',
'json': 1,
}
resp = gae_main.app.get_response('/filevault/%s?%s' %
(vol_uuid, urllib.urlencode(qs)),
{'REQUEST_METHOD': 'PUT'},
POST=secret)
self.assertIn('successfully escrowed', resp.body)
entity = models.FileVaultVolume.all().filter('hdd_serial =',
'3uDR0LYQmN').get()
self.assertIsNotNone(entity)
def testByPermRead(self, owner, expected_email):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**',
user=users.get_current_user(),
email='*****@*****.**',
provisioning_perms=[permissions.RETRIEVE],
).put()
models.ProvisioningVolume(
owners=[owner],
hdd_serial='stub',
passphrase=secret,
platform_uuid='stub',
serial='stub',
volume_uuid=vol_uuid,
).put()
with mock.patch.object(util, 'SendEmail') as mock_send_email:
self.testapp.get('/provisioning/%s?json=1' % vol_uuid)
self.assertEqual(1, mock_send_email.call_count)
recipients, _, _ = mock_send_email.call_args[0]
self.assertItemsEqual(
['*****@*****.**', expected_email, '*****@*****.**'],
recipients)
def testOwnerInMetadata(self, *_):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4()).upper()
base.User(
key_name='*****@*****.**',
user=users.get_current_user(),
filevault_perms=[permissions.ESCROW],
).put()
qs = {
'hdd_serial': 'stub',
'owner': 'stub9',
'platform_uuid': 'stub',
'serial': 'stub',
'json': 1,
}
resp = self.testapp.put('/filevault/%s?%s' %
(vol_uuid, urllib.urlencode(qs)),
params=secret)
self.assertIn('successfully escrowed', resp.body)
entity = models.FileVaultVolume.all().filter(
'owners =', '*****@*****.**').get()
self.assertIsNotNone(entity)
def setUp(self):
super(FileVaultChangeOwnerAccessHandlerTest, self).setUp()
settings.KEY_TYPE_DEFAULT_FILEVAULT = settings.KEY_TYPE_DATASTORE_FILEVAULT
settings.KEY_TYPE_DEFAULT_XSRF = settings.KEY_TYPE_DATASTORE_XSRF
test_util.SetUpTestbedTestCase(self)
self.volume_uuid = '4E6A59FF-3D85-4B1C-A5D5-70F8B8A9B4A0'
self.user = base.User(key_name='*****@*****.**',
user=users.User('*****@*****.**'))
self.user.filevault_perms = [permissions.CHANGE_OWNER]
self.user.put()
fvv = models.FileVaultVolume(
hdd_serial='XX123456',
platform_uuid='A4E75A65-FC39-441C-BEF5-49D9A3DC6BE0',
serial='XX123456',
passphrase='SECRET',
volume_uuid=self.volume_uuid,
created_by=users.User('*****@*****.**'))
volume_id = fvv.put()
self.change_owner_url = '/api/internal/change-owner/filevault/%s/' % (
volume_id)
def testAccessDenied(self):
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
provisioning_perms=[],
).put()
resp = gae_main.app.get_response(
'/created?json=1', {'REQUEST_METHOD': 'GET'})
self.assertEqual(httplib.FORBIDDEN, resp.status_int)
def testFilterResult(self):
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
bitlocker_perms=[permissions.RETRIEVE_OWN],
).put()
resp = util.FromSafeJson(self.testapp.get(
'/search?search_type=bitlocker&field1=owner&value1=stub&json=1').body)
self.assertTrue(resp['results_access_warning'])
self.assertEqual(0, len(resp['passphrases']))
def setUp(self):
super(FileVaultChangeOwnerAccessHandlerTest, self).setUp()
settings.KEY_TYPE_DEFAULT_FILEVAULT = settings.KEY_TYPE_DATASTORE_FILEVAULT
settings.KEY_TYPE_DEFAULT_XSRF = settings.KEY_TYPE_DATASTORE_XSRF
self.volume_uuid = '4E6A59FF-3D85-4B1C-A5D5-70F8B8A9B4A0'
self.user = base.User(key_name='*****@*****.**',
user=users.User('*****@*****.**'))
self.user.filevault_perms = [permissions.CHANGE_OWNER]
self.user.put()
self.volume_id = self._EscrowPassphrase('SECRET')
def _MakeUserEntity(self, email, user_perms):
"""Returns a base.User entity.
Args:
email: str, email address of the user.
user_perms: dict, dict of permission types with lists of db.User
permissions. i.e. {'filevault_perms': [RETRIEVE, ESCROW]}
Returns:
base.User entity.
"""
u = base.User(key_name=email, user=users.User(email=email))
for permission_type in permissions.TYPES:
u.SetPerms(user_perms.get(permission_type, []), permission_type)
return u
def setUp(self):
super(LinuxFirmwarePasswordChangeOwnerTest, self).setUp()
settings.KEY_TYPE_DEFAULT_FILEVAULT = settings.KEY_TYPE_DATASTORE_FILEVAULT
settings.KEY_TYPE_DEFAULT_XSRF = settings.KEY_TYPE_DATASTORE_XSRF
self.user = base.User(key_name='*****@*****.**',
user=users.User('*****@*****.**'))
self.user.linux_firmware_perms = [permissions.CHANGE_OWNER]
self.user.put()
self.manufacturer = 'SampleManufacturer Inc.'
self.serial = 'XX123456'
self.machine_uuid = 'A4E75A65-FC39-441C-BEF5-49D9A3DC6BE0'
self.volume_id = self._EscrowPassphrase('SECRET')
def testSilentRetrieve(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
luks_perms=[permissions.SILENT_RETRIEVE, permissions.RETRIEVE],
).put()
models.LuksVolume(
owner='stub', hdd_serial='stub', hostname='stub', passphrase=secret,
platform_uuid='stub', volume_uuid=vol_uuid
).put()
with mock.patch.object(util, 'SendEmail') as mock_send_email:
resp = gae_main.app.get_response('/luks/%s?json=1' % vol_uuid)
mock_send_email.assert_not_called()
self.assertEqual(httplib.OK, resp.status_int)
def testCheckAuthzOwnerFail(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
filevault_perms=[permissions.RETRIEVE_OWN],
).put()
models.FileVaultVolume(
owner='stub2', volume_uuid=vol_uuid, passphrase=secret,
hdd_serial='stub', platform_uuid='stub', serial='stub',
).put()
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/filevault/%s?json=1' % vol_uuid)
self.assertEqual(httplib.FORBIDDEN, resp.status_int)
self.assertIn('Access denied.', resp.body)
def testLuksAsOwner(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
luks_perms=[permissions.RETRIEVE_OWN],
).put()
models.LuksVolume(
owner='stub7', hdd_serial='stub', hostname='stub', passphrase=secret,
platform_uuid='stub', volume_uuid=vol_uuid
).put()
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/luks/%s?json=1' % vol_uuid)
self.assertEqual(httplib.OK, resp.status_int)
self.assertIn('"passphrase": "%s"' % secret, resp.body)
def testBarcode(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
luks_perms=[permissions.RETRIEVE_OWN],
).put()
models.LuksVolume(
owner='stub7', hdd_serial='stub', hostname='stub', passphrase=secret,
platform_uuid='stub', volume_uuid=vol_uuid
).put()
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/luks/%s?json=1' % vol_uuid)
o = util.FromSafeJson(resp.body)
self.assertTrue(o['qr_img_url'])
def testOk(self):
base.User(
key_name='*****@*****.**',
user=users.get_current_user(),
filevault_perms=[permissions.SEARCH],
luks_perms=[permissions.SEARCH],
).put()
resp = gae_main.app.get_response('/api/internal/volume_types',
{'REQUEST_METHOD': 'GET'})
self.assertEqual(httplib.OK, resp.status_int)
data = util.FromSafeJson(resp.body)
volume_fields = {x: y for x, y in data.items() if 'fields' in y}
self.assertEqual(2, len(volume_fields))
def testVolumeUuidValid(self):
vol_uuid = str(uuid.uuid4()).upper()
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
filevault_perms=[permissions.RETRIEVE_OWN],
).put()
models.FileVaultVolume(
owner='stub', volume_uuid=vol_uuid, serial='stub',
passphrase='stub_pass1', hdd_serial='stub', platform_uuid='stub',
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
resp = gae_main.app.get_response('/filevault/%s?json=1' % vol_uuid)
self.assertEqual(httplib.OK, resp.status_int)
self.assertIn('"passphrase": "stub_pass1"', resp.body)
def testCheckAuthzGlobalOk(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
filevault_perms=[permissions.RETRIEVE],
).put()
volume_id = models.FileVaultVolume(
owner='stub2', volume_uuid=vol_uuid, passphrase=secret,
hdd_serial='stub', platform_uuid='stub', serial='stub',
).put()
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response(
'/filevault/%s?json=1&id=%s' % (vol_uuid, volume_id))
self.assertEqual(httplib.OK, resp.status_int)
self.assertIn('"passphrase": "%s"' % secret, resp.body)
def testLuksAsNonOwner(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
luks_perms=[permissions.RETRIEVE_OWN],
).put()
models.LuksVolume(
owner='stub5', hdd_serial='stub', hostname='stub', passphrase=secret,
platform_uuid='stub', volume_uuid=vol_uuid
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/luks/%s?json=1' % vol_uuid)
self.assertEqual(httplib.FORBIDDEN, resp.status_int)
self.assertIn('Access denied.', resp.body)
def testVolumeUuidValid(self):
vol_uuid = str(uuid.uuid4()).upper()
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
filevault_perms=[permissions.RETRIEVE_OWN],
).put()
models.FileVaultVolume(
owner='stub7', volume_uuid=vol_uuid, serial='stub',
passphrase='stub_pass1', hdd_serial='stub', platform_uuid='stub',
).put()
resp = gae_main.app.get_response('/filevault/%s?json=1' % vol_uuid)
self.assertEqual(httplib.OK, resp.status_int)
self.assertIn('"passphrase": "stub_pass1"', resp.body)
volumes = models.FileVaultVolume.all().fetch(None)
self.assertEqual(1, len(volumes))
self.assertTrue(volumes[0].force_rekeying)
def testWalkthrough(self):
models.ProvisioningVolume.created.auto_now = False
vol_uuid1 = str(uuid.uuid4()).upper()
secret1 = str(uuid.uuid4())
base.User(
key_name='*****@*****.**',
user=users.get_current_user(),
provisioning_perms=[],
).put()
models.ProvisioningVolume(
owner='stub',
created_by=users.get_current_user(),
hdd_serial='stub',
passphrase=secret1,
created=datetime.datetime.now(),
platform_uuid='stub',
serial='stub',
volume_uuid=vol_uuid1,
).put()
old = datetime.datetime.now() - datetime.timedelta(days=365)
models.ProvisioningVolume(owner='stub1',
created_by=users.get_current_user(),
hdd_serial='stub',
passphrase=secret1,
created=old,
platform_uuid='stub',
serial='stub',
volume_uuid=str(uuid.uuid4()).upper()).put()
resp = gae_main.app.get_response('/created?json=1',
{'REQUEST_METHOD': 'GET'})
self.assertEqual(httplib.OK, resp.status_int)
data = util.FromSafeJson(resp.body)
self.assertEqual(1, len(data))
self.assertEqual(secret1, data[0]['passphrase'])
models.ProvisioningVolume.created.auto_now = True
def testLuksAsNonOwner(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**',
user=users.get_current_user(),
luks_perms=[permissions.RETRIEVE_OWN],
).put()
models.LuksVolume(owners=['stub5'],
hdd_serial='stub',
hostname='stub',
passphrase=secret,
platform_uuid='stub',
volume_uuid=vol_uuid).put()
with mock.patch.object(util, 'SendEmail') as _:
resp = self.testapp.get('/luks/%s?json=1' % vol_uuid,
status=httplib.FORBIDDEN)
self.assertIn('Access denied.', resp.body)
def testBarcodeTooLong(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4()) * 10
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
luks_perms=[permissions.RETRIEVE_OWN],
).put()
models.LuksVolume(
owner='stub', hdd_serial='stub', hostname='stub', passphrase=secret,
platform_uuid='stub', volume_uuid=vol_uuid
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/luks/%s?json=1' % vol_uuid)
o = util.FromSafeJson(resp.body)
self.assertFalse(o['qr_img_url'])
def testCheckAuthzCreatorOk(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
filevault_perms=[permissions.RETRIEVE_CREATED_BY],
).put()
models.FileVaultVolume(
owner='stub3',
created_by=users.User('*****@*****.**'),
volume_uuid=vol_uuid, passphrase=secret,
hdd_serial='stub', platform_uuid='stub', serial='stub',
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response('/filevault/%s?json=1' % vol_uuid)
self.assertEqual(httplib.OK, resp.status_int)
self.assertIn('"passphrase": "%s"' % secret, resp.body)
def testProvisioningAsOwner(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**', user=users.get_current_user(),
provisioning_perms=[permissions.RETRIEVE_OWN],
).put()
models.ProvisioningVolume(
owner='stub', hdd_serial='stub', passphrase=secret,
platform_uuid='stub', serial='stub',
volume_uuid=vol_uuid,
).put()
with mock.patch.object(handlers, 'settings') as mock_settings:
mock_settings.XSRF_PROTECTION_ENABLED = False
with mock.patch.object(util, 'SendEmail') as _:
resp = gae_main.app.get_response(
'/provisioning/%s?json=1' % vol_uuid)
self.assertEqual(httplib.OK, resp.status_int)
self.assertIn('"passphrase": "%s"' % secret, resp.body)
def testProvisioningAsOwner(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**',
user=users.get_current_user(),
provisioning_perms=[permissions.RETRIEVE_OWN],
).put()
models.ProvisioningVolume(
owners=['stub7'],
hdd_serial='stub',
passphrase=secret,
platform_uuid='stub',
serial='stub',
volume_uuid=vol_uuid,
).put()
with mock.patch.object(util, 'SendEmail') as _:
resp = self.testapp.get('/provisioning/%s?json=1' % vol_uuid,
status=httplib.OK)
self.assertIn('"passphrase": "%s"' % secret, resp.body)
def testCheckAuthzCreatorOk(self):
vol_uuid = str(uuid.uuid4()).upper()
secret = str(uuid.uuid4())
base.User(
key_name='*****@*****.**',
user=users.get_current_user(),
filevault_perms=[permissions.RETRIEVE_CREATED_BY],
).put()
models.FileVaultVolume(
owners=['stub3'],
created_by=users.User('*****@*****.**'),
volume_uuid=vol_uuid,
passphrase=secret,
hdd_serial='stub',
platform_uuid='stub',
serial='stub',
).put()
with mock.patch.object(util, 'SendEmail') as _:
resp = self.testapp.get('/filevault/%s?json=1' % vol_uuid,
status=httplib.OK)
self.assertIn('"passphrase": "%s"' % secret, resp.body)
